In early 2025, Palo Alto Networks analyzed over 16 million security samples across global Industrial Control Systems (ICS) and Operational Technology (OT) environments to help CISOs quantify the business impact of emerging industrial threats. By collecting data from over 60,000 OT firewalls worldwide and synthesizing telemetry from WildFire, Advanced URL Filtering (AURL), and Advanced DNS Security (ADNS), this report clarifies how sophisticated actors like LockBit and Trickbot bypass traditional perimeter defenses to target critical factory automation and electrical grid protocols. We provide these insights to help executive leaders prioritize security investments, reduce the risk of operational downtime, and ensure regulatory compliance across distributed global footprints.
Address the disproportionate impact of high-volume security events to preserve system availability. While 89% of observed OT samples fall into the "inconclusive unknown" category, they generate over 30% of total security events, contributing significantly to SOC alert fatigue. Conversely, malicious unknowns—comprising only 1.9% of samples—already impact 17% of surveyed organizations. By focusing on these high-impact-to-volume ratios, you reduce the risk of a single overlooked event escalating into a production-stopping incident.
Neutralize large-scale, non-specific campaigns that target unique industrial endpoints. Analysis of a major 2024 threat spike revealed that while 66% of samples were benign, 83.5% of the total detection volume originated from just four LockBit samples. These "droppers" use stealthy decryption techniques to bypass legacy antivirus before downloading ransomware payloads. Implementing multi-stage detection prevents these actors from establishing the initial access required to disrupt operations or exfiltrate sensitive industrial IP.
Protect specialized OT protocols from sophisticated initial access brokers like Trickbot. Our research into 157 OT ports identifies significant risks to Port 55000 (FL-net for factory automation) and Ports 50006, 50016, and 50028 (electrical transmission grid management). Because Trickbot often serves as a precursor to high-impact ransomware or wiper payloads, monitoring these specific ports for Trojan activity ensures that localized infections do not scale into systemic infrastructure failures.
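The port-monitoring takeaway above can be turned into a concrete triage step. The following is an added example, not code from the report or from Palo Alto Networks: it reads a constructed, simplified CSV session log (the column layout is an assumption, not any vendor's real log schema), flags sessions to the four OT ports named above that originate outside an assumed approved engineering subnet, and separately flags any source that touches more than a small number of distinct OT endpoints, which in a flat factory network usually means a sweep rather than legitimate automation traffic. The subnet, the sweep threshold and all log lines are constructed for the example.

```python
"""Triage sessions to sensitive OT ports (added example; not the report's code).

Log format is a constructed, simplified CSV: ts,src_ip,dst_ip,dst_port,proto,bytes.
"""
import csv
import ipaddress
from io import StringIO

# Ports named in the report and the role it attributes to them.
OT_WATCH_PORTS = {
    55000: "FL-net (factory automation)",
    50006: "electrical transmission grid management",
    50016: "electrical transmission grid management",
    50028: "electrical transmission grid management",
}

# Assumption: only the engineering subnet may initiate sessions to these ports.
APPROVED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Assumption: one source touching more than this many distinct OT endpoints
# in the reviewed window is treated as a sweep, not normal automation traffic.
SWEEP_THRESHOLD = 3

# Constructed sample log: an approved engineering host, a non-approved host
# sweeping grid-management ports, and a stray client from an IT range.
CONSTRUCTED_LOG = """\
ts,src_ip,dst_ip,dst_port,proto,bytes
2025-03-01T08:00:01,10.20.0.15,10.30.1.10,55000,udp,420
2025-03-01T08:00:04,10.20.0.15,10.30.1.11,55000,udp,388
2025-03-01T08:01:10,10.50.7.9,10.30.2.20,50006,tcp,1200
2025-03-01T08:01:11,10.50.7.9,10.30.2.21,50016,tcp,60
2025-03-01T08:01:12,10.50.7.9,10.30.2.22,50028,tcp,60
2025-03-01T08:01:13,10.50.7.9,10.30.2.23,50006,tcp,60
2025-03-01T08:02:00,10.20.0.15,10.30.3.5,443,tcp,9000
2025-03-01T08:03:00,192.168.9.4,10.30.1.10,55000,udp,120
"""


def is_approved_source(src_ip):
    """True if the source address falls inside an approved network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in APPROVED_SOURCES)


def triage_ot_sessions(log_text):
    """Return (findings, sweep_sources).

    findings: one dict per session that reaches a watched OT port from a
    source outside APPROVED_SOURCES, in log order.
    sweep_sources: sources that touched more than SWEEP_THRESHOLD distinct
    (dst_ip, port) OT endpoints, regardless of approval.
    """
    findings = []
    endpoints_by_src = {}
    for row in csv.DictReader(StringIO(log_text)):
        port = int(row["dst_port"])
        if port not in OT_WATCH_PORTS:
            continue  # not an OT port of interest
        endpoints_by_src.setdefault(row["src_ip"], set()).add((row["dst_ip"], port))
        if not is_approved_source(row["src_ip"]):
            findings.append({
                "ts": row["ts"],
                "src_ip": row["src_ip"],
                "dst_ip": row["dst_ip"],
                "port": port,
                "service": OT_WATCH_PORTS[port],
            })
    sweep_sources = sorted(
        src for src, eps in endpoints_by_src.items() if len(eps) > SWEEP_THRESHOLD
    )
    return findings, sweep_sources


if __name__ == "__main__":
    found, sweeps = triage_ot_sessions(CONSTRUCTED_LOG)
    for f in found:
        print(f"{f['ts']} {f['src_ip']} -> {f['dst_ip']}:{f['port']} ({f['service']})")
    print("possible sweep sources:", sweeps)
```

On the constructed log the five sessions from the two non-approved hosts are reported, and 10.50.7.9 is additionally listed as a sweep source because it reached four distinct grid-management endpoints. In practice the approved-source list should be derived from asset inventory rather than a hard-coded subnet, and the sweep threshold tuned per cell or zone.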
Block covert attack techniques that evade standard network monitoring by inspecting DNS-level activity. In OT environments, nearly 11.5% of DNS threats involve "Claimable NX domains"—expired domains that attackers purchase to hijack legacy traffic. Additionally, DNS tunneling for data exfiltration accounts for over 132,000 blocked daily requests, particularly in the manufacturing sector. Strengthening your DNS security posture prevents attackers from using these persistent, low-noise channels for command-and-control (C2) or unauthorized data transfer.
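The two DNS-level behaviours named above, tunneling and claimable NX domains, can both be surfaced from resolver logs. The following is an added example, not code from the report or from Palo Alto Networks: it applies simple tunneling heuristics (very long or high-entropy leftmost labels, and an unusually large number of unique subdomains under one registered domain) and, for the claimable-domain risk, reports NXDOMAIN answers for hostnames that are hard-coded in legacy plant configurations, so those domains can be reviewed before someone else registers them. The log records, the legacy hostname list, the thresholds and the two-label registered-domain rule are all assumptions made for the example.

```python
"""Two DNS checks for OT resolver logs (added example; not the report's code).

Records are constructed tuples: (ts, client_ip, qname, rcode).
"""
import math
from collections import Counter, defaultdict

# Assumption: hostnames still referenced by legacy HMI / historian / vendor
# configs. An NXDOMAIN for one of these is a candidate for domain review.
LEGACY_HOSTNAMES = {"updates.oldvendor-example.net", "ntp.plant-example.org"}

# Assumed heuristic thresholds; tune against a baseline of normal traffic.
MAX_LABEL_LEN = 40      # leftmost label longer than this looks like encoded data
MIN_ENTROPY = 3.5       # bits per character; hostnames are usually well below this
MAX_UNIQUE_SUBS = 20    # unique subdomains under one registered domain in the window

# Constructed sample records.
CONSTRUCTED_LOG = [
    ("2025-03-01T08:00:00", "10.30.1.10", "historian.plant-example.org", "NOERROR"),
    ("2025-03-01T08:00:05", "10.30.1.10", "ntp.plant-example.org", "NXDOMAIN"),
    ("2025-03-01T08:00:09", "10.30.1.11", "updates.oldvendor-example.net", "NXDOMAIN"),
    ("2025-03-01T08:00:12", "10.30.1.11", "www.vendor-example.com", "NOERROR"),
    # 30-character label with 30 distinct characters: entropy trigger
    ("2025-03-01T08:01:00", "10.30.2.20", "x7k2q9mzp4w1lt8rvc3hb6nyj5g0ds.exfil-example.com", "NOERROR"),
] + [
    # 46-character labels, each unique: length trigger and high fan-out
    ("2025-03-01T08:01:%02d" % i, "10.30.2.20",
     "%02da1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2.exfil-example.com" % i, "NOERROR")
    for i in range(25)
]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Last two labels of the name. Assumption: no public suffix list is consulted."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def triage_dns(records):
    """Return a dict with tunnel_queries, high_fanout_domains and claimable_nx."""
    subs_by_domain = defaultdict(set)
    tunnel_queries = []
    claimable = set()
    for _ts, client, qname, rcode in records:
        q = qname.rstrip(".").lower()
        # Claimable-domain risk: legacy config still queries a name that no longer resolves.
        if rcode == "NXDOMAIN" and q in LEGACY_HOSTNAMES:
            claimable.add(q)
        dom = registered_domain(q)
        prefix = q[: -len(dom) - 1] if len(q) > len(dom) else ""
        if not prefix:
            continue  # query for the bare registered domain; nothing to score
        subs_by_domain[dom].add(prefix)
        first_label = prefix.split(".")[0]
        if len(first_label) > MAX_LABEL_LEN or shannon_entropy(first_label) > MIN_ENTROPY:
            tunnel_queries.append((client, q))
    high_fanout = sorted(d for d, subs in subs_by_domain.items() if len(subs) >= MAX_UNIQUE_SUBS)
    return {
        "tunnel_queries": tunnel_queries,
        "high_fanout_domains": high_fanout,
        "claimable_nx": sorted(claimable),
    }


if __name__ == "__main__":
    result = triage_dns(CONSTRUCTED_LOG)
    print("tunnel-like queries:", len(result["tunnel_queries"]))
    print("high fan-out domains:", result["high_fanout_domains"])
    print("legacy names now NXDOMAIN (review registration):", result["claimable_nx"])
```

On the constructed records the 26 queries to exfil-example.com are flagged individually, that domain is also reported for fan-out, and the two legacy hostnames that now return NXDOMAIN are listed for review. An NXDOMAIN on a hostname does not by itself prove the registered domain has lapsed, so the output is a review queue, not a verdict; the real mitigation is to remove or re-point the stale references and check the registration status of the parent domain.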
Optimize global resource allocation by targeting high-activity hotspots and industry-specific vectors. Geographical data shows concentrated risks in nations like Senegal, the UK, and the US, while industry analysis reveals that the High Tech and Healthcare sectors face over 50% of all ransomware-related sessions. By understanding these distribution patterns, you ensure that compliance and risk-reduction efforts focus on the areas of highest business exposure, avoiding the inefficiencies of a uniform global spend.
Gain a strategic advantage by acting earlier in the attack lifecycle to disrupt threats before they impact physical operations. While the data from 2025 highlights the scale of the challenge, our joint research with Siemens and the Idaho National Laboratory (INL) provides the blueprint for active defense. The Intelligence-Driven Active Defense Report 2026 reveals a 332% increase in unique internet-exposed OT devices, with nearly 20 million OT-related services now observable on the public internet.
In an OT environment, defense is a race against time; the edge is where you still have the opportunity to win. By combining 20 years of historical incident data with global telemetry from over 61,000 firewalls, this research proves that industrial threats persist well before they reach the heart of your operations. Use these insights to transform your security posture from reactive monitoring to proactive risk mitigation, ensuring your organization remains resilient in an expanding threat landscape.
Download the full report: Intelligence-Driven Active Defense 2026.